nixos-config/hosts/defiant/services/hedgedoc.nix

118 lines
3.2 KiB
Nix
Raw Normal View History

{ config, pkgs, lib, ... }:
let
cfg = config.services.hedgedoc.settings;
domain = "md.feal.no";
port = 3300;
host = "127.0.1.2";
authServerUrl = "https://auth.feal.no";
in {
# Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
sops.secrets."hedgedoc/env" = {
restartUnits = [ "hedgedoc.service" ];
};
services.hedgedoc = {
enable = true;
environmentFile = config.sops.secrets."hedgedoc/env".path;
settings = {
inherit domain port host;
protocolUseSSL = true;
sessionSecret = "$CMD_SESSION_SECRET";
allowFreeURL = true;
allowAnonymous = false;
allowAnonymousEdits = true; # Allow anonymous edits with the "freely" permission
# dbURL = "postgres://hedgedoc@localhost/hedgedoc";
db = {
username = "hedgedoc";
database = "hedgedoc";
host = "/run/postgresql";
dialect = "postgresql";
};
email = false;
oauth2 = {
baseURL = "${authServerUrl}/oauth2";
tokenURL = "${authServerUrl}/oauth2/token";
authorizationURL = "${authServerUrl}/ui/oauth2";
userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
clientID = "hedgedoc";
clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
scope = "openid email profile";
userProfileUsernameAttr = "name";
userProfileEmailAttr = "email";
userProfileDisplayNameAttr = "displayname";
providerName = "KaniDM";
};
};
};
systemd.services.hedgedoc = {
requires = [
"postgresql.service"
# "kanidm.service"
];
serviceConfig = let
workDir = "/var/lib/hedgedoc";
in {
WorkingDirectory = lib.mkForce workDir;
StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
# Better safe than sorry :)
CapabilityBoundingSet = "";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
ReadWritePaths = [ workDir ];
RemoveIPC = true;
RestrictSUIDSGID = true;
UMask = "0007";
RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
SystemCallArchitectures = "native";
# SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
};
};
services.postgresql = {
ensureDatabases = [ "hedgedoc" ];
ensureUsers = [{
name = "hedgedoc";
ensureDBOwnership = true;
}];
};
services.nginx.virtualHosts."${domain}" = {
listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; }
{ addr = "192.168.10.175"; port = 43080; ssl = false; }
];
enableACME = true;
forceSSL = true;
locations = {
"/" = {
proxyPass = "http://${host}:${toString port}";
};
"/socket.io" = {
proxyPass = "http://${host}:${toString port}";
proxyWebsockets = true;
};
};
};
}